---
title: Introduction to Hacking - Password Cracking
show-content: 1
layout: console
---

Nowadays, passwords are the only form of security on most websites and computer
systems. It has become one of the most common and easiest ways for a hacker to
gain unauthorised access to your computer or network.

Before we get into cracking passwords with programs, I will example a few
old-fashioned ways to obtain someone's password.

* **Social Engineering**: Social Engineering is when a hacker takes advantage of
trusting human beings to get information from them. For example, if the
hacker was trying to get the password of a co-workers computer, he (I will
use "_he_" for the examples, as being a hacker doesn't depends of a gender
or a sex) could call the co-worker pretending to be from the IT department.
The conversation could be something like:

    > **Bob**: "Hello Suzy. My name is Bob and I am from the IT department.
    > We are currently attempting to install a new security update on your
    > computer, but we can't seem to connect to the user database and extract
    > your user information. Would you mind helping me out and letting me know
    > your password before my boss starts breathing down my neck? It's one of
    > those days, ya' know?"

   Suzy would probably feel bad for Bob and let him know her password without
   any hesitation. BAM! She got social engineered. Now the hacker can do
   whatever he pleases with her account.

* **Shoulder Surfing**: Should surfing is exactly what it sounds like. The
hacker would simply attempt to look over your shoulder as you type your
password. The hacker may also watch where you glance around your desk, looking
for a written reminder or the written password itself.

* **Guessing**: If you use a weak password, a hacker could simply guess it by
using the information he knows about you. Some examples of this are: Date of
birth, phone number, favourite pet and another simple things like these.

Now that we have the simple low-tech password cracking techniques out of the
way, let's explore some high-tech techniques.

There are different ways a hacker can go about cracking a password.

* **Dictionary attacks**: A dictionary attack is when a text file full of commonly
used passwords, or a list of every word from the dictionary is used against a
password database. Strong passwords usually aren't vulnerable to this kind of
attack.

* **Bruteforce Attacks**: With time, brute-force attacks can crack any
passwords. Brute-force attacks try every possible combination of letters,
numbers and special characters until the right password is found. Brute-force
attacks can take a long time. The speed is determined by the speed of the
computer running the cracking program and the complexity of the password.

* **Rainbow tables**: A Rainbow table is a huge pre-compiled list of hash values
for every possible combination of characters. A password hash is a password that
has gone through a mathematical algorithm that transformed it into something
absolutely foreign. A hash is a one way encryption so once a password is hashed,
there is no way to get the original string from the hashed string. A very common
hashing algorithm used as security to store passwords in a website databases is
MD5.

  Let's say you are registering for a website. You put in a username and
password. Now when you submit, your password goes through the MD5 algorithm and
the outcome hash is stored in a database. Now since you can't get the password
from the hash, you may be wondering how they know if your password is right.
Well, when you login and submit your username and password, a script takes your
password and runs it through the md5 algorithm. The outcome hash is compared to
the hash stored in the database. if they are the same, your password is right
and therefore, you are admitted.

  If I were to run the word "**blacktraining**" through the md5 algorithm, the
outcome would be "**55dc3d1d607b784e80ef3fca0ec8eb8b**". Having huge tables of
every possible character combination hashed is a much better alternative to
brute-force cracking. Once the rainbow tables are created, cracking the password
is a hundred times faster than brute-forcing it.

* **Phishing**: Phishing is the process of stealing sensitive information, such
as username, passwords and bank information by pretending to be someone you are
not. An example of this, would be if you receive an e-mail from a hacker
pretending to be your bank. In this e-mail, it might tell you that you need to
update your account before it expires and then the hacker provides a link. Once
you click on the link, you arrive at a website that looks exactly like your
actual bank page. Actually, it's just a perfect replica and when you input your
login details, it sends to the hacker's email or stores it on his own web
server. Hackers that create the best, most deceiving phishing web pages are
knowledgeable in the area of HTML and the PHO programming.

[Index](/blog/intro_hacking/index)
